Security Statement

ABN: 64 108 741 214
Effective date: 4 June 2026
Contact: admin@getkova.co

1. About this statement

Kova processes design, project, and workflow data that may be commercially sensitive.

This Security Statement explains the security measures Kova uses to protect accounts, workspaces, integrations, and customer data.

2. Security principles

Kova is built around the following principles:

  • collect only what is reasonably required
  • restrict access by workspace and role
  • encrypt sensitive credentials at rest
  • validate user input
  • use secure third-party infrastructure
  • monitor for misuse and abuse
  • keep human review in the loop for AI-generated output

3. Account security

Kova uses authenticated accounts to control access to the application.

Users are responsible for:

  • using strong passwords
  • protecting login credentials
  • managing team access carefully
  • removing users who no longer need access
  • protecting connected third-party accounts
  • notifying us of suspected unauthorised access at admin@getkova.co

4. Workspace isolation

Kova is designed so that users can only access data belonging to their authorised workspace.

Workspace-level access controls are used to separate customer data.

5. Role-based access control

Kova supports user roles including owner, admin, member, and viewer.

Permissions control actions such as:

  • viewing projects
  • generating tickets
  • pushing tickets to project management tools
  • managing integrations
  • inviting team members
  • changing roles
  • managing billing
  • deleting workspaces

6. Integration security

Kova may connect to third-party tools such as Figma, Jira, Linear, Asana, Slack, Telegram, and other systems.

Sensitive OAuth tokens and access credentials are encrypted at rest.

Users should only connect integrations they are authorised to use.

7. Encryption

Kova encrypts sensitive integration credentials at rest.

Data is encrypted in transit using HTTPS/TLS. Data at rest is also encrypted by our infrastructure providers.

8. Input validation and abuse prevention

Kova uses input validation and security controls to reduce the risk of:

  • injection attacks
  • malformed requests
  • cross-site scripting
  • unauthorised API access
  • excessive or abusive requests
  • suspicious activity

Rate limiting and abuse prevention measures are applied across the platform.

9. Audit logs and monitoring

Kova logs security-relevant activity, including:

  • logins
  • integration changes
  • member invites
  • role changes
  • project actions
  • ticket generation events
  • API errors
  • rate-limit events
  • security events

These logs help with troubleshooting, security monitoring, and compliance.

10. Third-party infrastructure

Kova uses third-party providers for hosting, database, authentication, AI processing, billing, email, analytics, and integrations.

A full Subprocessor List is available at www.getkova.co/subprocessors.

11. AI processing security

Kova sends relevant authorised data to AI infrastructure or model providers to generate output.

We minimise the data sent and use providers appropriate for the service being delivered.

Users should not process data through Kova unless they are authorised to do so.

12. Incident response

If we become aware of a security incident affecting customer data, we will:

  • investigate the incident promptly
  • take reasonable steps to contain and remediate the incident
  • notify affected customers without undue delay, and where required under the Australian Privacy Act 1988 (Cth) Notifiable Data Breaches scheme, within 72 hours of becoming aware that a breach is likely to have occurred
  • provide customers with sufficient information to allow them to meet their own notification obligations where applicable

13. Security limitations

No online service is completely secure.

Kova cannot control:

  • user device security
  • weak or reused passwords
  • unauthorised sharing of account access
  • misconfigured third-party tools
  • changes or failures in third-party APIs
  • data users upload without proper authorisation

14. Reporting security issues

To report a security issue, please review our Responsible Disclosure Policy and contact:

Kova
ABN 64 108 741 214
Email: admin@getkova.co
Website: www.getkova.co

Please include enough detail for us to investigate the issue responsibly. We will acknowledge all reports within 5 business days.

Also available: Privacy Policy · Terms of Service · Responsible Disclosure